PCI Compliance project


jonadall
06-13-2007, 08:11 AM
Hi,

I am starting on a PCI DSS compliance project for a small (Level 4) merchant.
From your experience which is the most difficult requirement to implement?

Also, do the card associations have their own standards which require compliance? E.g. VISA have CISP, MasterCard SDP... Are these different from PCI DSS? If so, can you mention what are the main differences?

Thanks.

wconway
06-13-2007, 11:22 AM
Congratulations...and welcome to the madness! :)

I'd suggest a good first step is to limit your PCI scope. That is, I'd take a look at where and why I was keeping the PAN, and try my best to eliminate as many -- if not all -- of those as possible. If you don't keep the PAN or other sensitive cardholder data, your PCI effort is greatly eased. It becomes more a business policy and procedures project than a major technical/network segmentation project.

Since you are Level 4, check with your acquirer for validation requirements. You need to complete the SAQ and have quarterly scans, but based on Visa's requirements, it is up to your acquirer whether you submit them. You are right to point out there are differences -- in my space (higher ed), Amex and Visa can assign different merchant levels. The reason for all this is that while the SSC sets the standards, each card brand enforces them. The compliance requirements for all merchants are the same, the validation is what varies by Level.

david.taylor99
06-13-2007, 09:39 PM
I've used a chart from a Verisign study that shows 79% of Level 1 merchants fail their PCI DSS assessments due to #3. Email me if you want more info or the chart.
Dave Taylor
President,
PCI Security Vendor Alliance
David.Taylor@PCIAlliance.org

jonadall
06-14-2007, 04:15 AM
Thanks for your help :)

MissedDeadline
06-21-2007, 03:30 PM
I've used a chart from a Verisign study that shows 79% of Level 1 merchants fail their PCI DSS assessments due to #3. Email me if you want more info or the chart.
Dave Taylor
President,
PCI Security Vendor Alliance
David.Taylor@PCIAlliance.org

David,

Could you upload that doc here as an attachment?

Thanks

wconway
06-21-2007, 03:48 PM
I have a pdf of the Verisign article I downloaded. I don't have the link but could forward the pdf if you are interested. I am reluctant to post without copyright or other clearance from the authors.

Walt

RARBE
06-22-2007, 11:21 AM
Walt
I would be interested in a copy please
KR
Richard